How to Secure Recipient Templates
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
In Microsoft Exchange Server 2007, you can use an existing recipient as a template. This allows you to provision recipients in a consistent manner without having to explicitly specify all configuration settings. While you can use an existing recipient as a template when creating new recipients, you can also maintain specific recipients that are dedicated to this purpose. A recipient that is used solely as a template for provisioning new recipients is called a recipient template.
A recipient template is not associated with a real person, resource, or group. Therefore, you should secure recipient templates to minimize the risks that are associated with having a generic account. This is especially important for mailbox and mail user templates because they both have Active Directory directory service logon credentials and can be used to access the resources in your organization in an unpredictable manner if they are not properly secured.
This topic explains how to use Active Directory Users and Computers and the Exchange Management Console or the Exchange Management Shell to secure recipient templates.
Before You Begin
To perform this procedure, the account you use must be delegated the following:
Exchange Recipient Administrator role
Account Operator role for the applicable Active Directory containers
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
Procedure
The procedure you perform to secure a recipient template is the same for all recipients. However, you must perform additional tasks for recipients that have Active Directory logon credentials, such as mailboxes and mail users. This topic is separated into the following sections:
Securing mailbox and mail user templates
Securing distribution group, dynamic distribution group, and mail contact templates
Securing Mailbox and Mail User Templates
Both mailbox and mail user templates have Active Directory logon credentials and can access resources to which they are granted permission. Therefore, you must make sure that the associated user account for a mailbox or a mail user template is never used to access resources.
Note
Although the procedures in this section show you how to secure a mailbox template, the process is identical for a mail user template.
At a minimum, to secure mailbox and mail user templates, you should perform the following steps.
To use Active Directory Users and Computers to secure a mailbox template
Start Active Directory Users and Computers.
In the console tree, select the organizational unit (OU) that contains the user account for the mailbox template.
In the details pane, right-click the user account that is associated with the mailbox template, and then click Disable Account. This step prevents the account from being used to log on to Active Directory.
Right-click the user account you just disabled, and then click Properties.
In <Mailbox> Properties, on the Member Of tab, click Add to open the Select Groups dialog box.
In the Enter the object names to select box, type Template Accounts, and then click Check Names.
Click OK to close the Select Groups dialog box.
Under Member of, click the Template Accounts group, and then click Set Primary Group.
Select the Domain Users group, and then click Remove. This step reduces the access the account would have if it were accidentally enabled, because permissions assigned to Domain Users no longer apply to it. Permissions granted to Authenticated Users or Everyone would still apply to an enabled account, so disabling the account remains the primary control.
Important
If the template user is a member of only the Domain Users security group, you will not be able to remove that membership, because Domain Users is the primary group for the user. Active Directory does not allow a user to be removed from its current primary group, and every user must have one. Therefore, you should create a dedicated security group to use as the primary group for all the user accounts you use as templates, and make the account a member of that group and set it as the primary group before you remove Domain Users. This security group must never be used for assigning permissions. For detailed steps about how to secure groups, see Securing Active Directory Administrative Groups and Accounts. This procedure assumes that you have already created a security group called Template Accounts for this purpose.
Click OK.
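The same hardening, performed from PowerShell instead of the Active Directory Users and Computers console, as an added example that is not part of the original topic. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and RSAT, and requiring a domain controller that runs Active Directory Web Services), that the template's user account has the sAMAccountName TemplateMailbox, and that the Template Accounts group already exists; both names are placeholders. The order of operations matters: the account must be a member of Template Accounts before that group can become its primary group, and Domain Users can be removed only after it stops being the primary group. The primaryGroupID attribute stores the group's RID (the last component of its SID), not a distinguished name, which is why the script extracts it from the SID.

```powershell
# Added example: secure a mailbox (or mail user) template account from PowerShell.
# Assumes the ActiveDirectory module and an existing "Template Accounts" security
# group that is never used to assign permissions. Names below are placeholders.
Import-Module ActiveDirectory

$templateSamAccountName = 'TemplateMailbox'     # assumed sAMAccountName of the template user
$templateGroupName      = 'Template Accounts'   # dedicated primary group for template accounts

$user          = Get-ADUser  -Identity $templateSamAccountName
$templateGroup = Get-ADGroup -Identity $templateGroupName
$domainUsers   = Get-ADGroup -Identity 'Domain Users'

# 1. Disable the account so the template can never be used to log on.
Disable-ADAccount -Identity $user

# 2. Add the account to the dedicated group. Membership is required before
#    the group can be made the primary group.
Add-ADGroupMember -Identity $templateGroup -Members $user

# 3. Set the primary group. primaryGroupID holds the group's RID, which is the
#    last component of the group's SID.
$templateGroupRid = [int]$templateGroup.SID.Value.Split('-')[-1]
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $templateGroupRid }

# 4. Only now can Domain Users be removed: Active Directory refuses to remove a
#    user from its current primary group.
Remove-ADGroupMember -Identity $domainUsers -Members $user -Confirm:$false

# Verify the end state instead of trusting that every call succeeded.
# MemberOf never lists the primary group, so PrimaryGroup is checked separately.
$result   = Get-ADUser -Identity $user -Properties Enabled, MemberOf, PrimaryGroup
$problems = @()
if ($result.Enabled) {
    $problems += 'account is still enabled'
}
if ($result.PrimaryGroup -ne $templateGroup.DistinguishedName) {
    $problems += 'primary group is not Template Accounts'
}
if ($result.MemberOf -contains $domainUsers.DistinguishedName) {
    $problems += 'still a member of Domain Users'
}

if ($problems.Count -eq 0) {
    Write-Output "$templateSamAccountName is secured."
} else {
    Write-Warning ("$templateSamAccountName is NOT secured: " + [string]::Join('; ', $problems))
}
```

Run the script once per template account with the Account Operator rights listed under Before You Begin. If it reports a problem, fix the state by hand before the template is used for provisioning, since every mailbox created from it inherits the template's group memberships as they stand at that moment.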
The following additional steps are also recommended for securing a mailbox or mail user template. However, the configuration settings changed by performing these steps are copied to any new recipients that are provisioned by using this template. Therefore, if you perform the following procedure, you should remember to reset these settings for any new recipients that are provisioned by using this template.
To use the Exchange Management Console to take additional steps to secure a mailbox template
Start the Exchange Management Console.
In the console tree, click Recipient Configuration.
In the result pane, right-click the mailbox template, and then click Properties.
In <Mailbox Template> Properties, on the General tab, select the Hide from Exchange address lists check box. This will prevent the mailbox or mail user template from appearing in the global address list (GAL) or other Exchange address lists.
In <Mailbox Template> Properties, on the Mail Flow Settings tab, select Message Size Restrictions, and then click Properties.
In Message Size Restrictions, select the Maximum message size (in KB) check box for Receiving message size. Type 0 in the text box. Because recipient templates are not monitored, this step ensures that the mailbox template does not receive e-mail messages.
Click OK.
Click OK.
To use the Exchange Management Shell to take additional steps to secure a mailbox template
To take additional steps to secure the mailbox template Template Mailbox, run the following command: (For a mail user, use the Set-MailUser cmdlet with the same parameters.)
Set-Mailbox -Identity "Template Mailbox" -HiddenFromAddressListsEnabled $true -MaxReceiveSize 0KB
To reset these additional settings for new mailboxes or mail users that are provisioned by using a secured recipient template, you can repeat the previous procedures and reverse the changes. However, the pipelining feature of the Exchange Management Shell allows you to provision the new recipient and reset these settings by using only one line of code. The following is an example that accomplishes this for a mailbox. The process is the same for a mail user, but you must instead use the Get-MailUser, New-MailUser, and Set-MailUser cmdlets.
To use the Exchange Management Shell to create a new mailbox by using a recipient template and reset the additional configuration settings that were taken to secure the mailbox template
To create a mailbox for John Smith by using the mailbox template Template Mailbox, run the following commands: (The result of the New-Mailbox cmdlet is pipelined to the Set-Mailbox cmdlet to reset the additional configuration settings that were taken to secure the mailbox template.)
$Temp = Get-Mailbox "Template Mailbox"
New-Mailbox -Name "John Smith" -UserPrincipalName "jsmith@contoso.com" -OrganizationalUnit "contoso.com/Users" -Database "Server01\Mailbox Database" -TemplateInstance $Temp | Set-Mailbox -HiddenFromAddressListsEnabled $false -MaxReceiveSize unlimited
Enter the password for the new mailbox when prompted.
For detailed syntax and parameter information, see the following reference topics:
Securing Distribution Group, Dynamic Distribution Group, and Mail Contact Templates
The following procedure is recommended for securing distribution group, dynamic distribution group, and mail contact templates. However, the configuration settings changed by performing these steps are copied to any new recipients that are provisioned by using this template. Therefore, if you perform the following procedure, you should remember to reset these settings for any new recipients that are provisioned by using this template.
Important
You should never use a universal security group as a distribution group template. Universal security groups can be used to grant access permissions to resources in Active Directory, so a template that is also a security principal carries the unnecessary risk of being granted access it should never have. There is also no benefit to doing so: the group type is not taken from the template, because you must specify the type of every new distribution group when you create it.
Note
Although the procedures in this section show you how to secure a mail contact template, the process is identical for a distribution group or dynamic distribution group template.
To use the Exchange Management Console to secure a mail contact template
Start the Exchange Management Console.
In the console tree, click Recipient Configuration.
In the result pane, right-click the mail contact template, and then click Properties.
In <Mail Contact Template> Properties, on the General tab, select the Hide from Exchange address lists check box. This will prevent the mail contact template from appearing in the global address list (GAL) or other Exchange address lists.
In <Mail Contact Template> Properties, on the Mail Flow Settings tab, select Message Size Restrictions, and then click Properties.
In Message Size Restrictions, select the Maximum message size (in KB) check box for Receiving message size. Type 0 in the text box. Because recipient templates are not monitored, this step ensures that the mail contact template does not receive e-mail messages.
Click OK.
Click OK.
To use the Exchange Management Shell to secure a mail contact template
To take additional steps to secure the mail contact template Template Mail Contact, run the following command: (For a distribution group, use the Set-DistributionGroup cmdlet, and for a dynamic distribution group, use the Set-DynamicDistributionGroup cmdlet with the same parameters.)
Set-MailContact -Identity "Template Mail Contact" -HiddenFromAddressListsEnabled $true -MaxReceiveSize 0KB
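Because the settings above are applied once and can be reverted by anyone with recipient rights, it is worth checking them periodically. The following audit script is an added example that is not part of the original topic; it covers the mailbox and mail user templates from the previous section as well as the mail contact, distribution group, and dynamic distribution group templates from this one. It assumes the convention that template recipients have a name that starts with "Template" (a placeholder pattern, held in $templatePattern) and that it runs in the Exchange Management Shell on an Exchange 2007 server. For recipients with logon credentials it reads userAccountControl directly from Active Directory, since the Disable Account step is the one control Exchange cmdlets do not show; for distribution groups it also flags a security group used as a template.

```powershell
# Added example: audit recipient templates for the settings this topic recommends.
# Assumes templates are named "Template*" (placeholder convention) and that this
# runs in the Exchange 2007 Exchange Management Shell.
$templatePattern = 'Template*'
$filter = "Name -like '$templatePattern'"

function Test-ReceiveBlocked($recipient) {
    # MaxReceiveSize is Unlimited<ByteQuantifiedSize>; a value of 0KB blocks all inbound mail.
    $size = $recipient.MaxReceiveSize
    return (-not $size.IsUnlimited) -and ($size.Value.ToBytes() -eq 0)
}

function Test-AccountDisabled($recipient) {
    # Read userAccountControl straight from Active Directory; bit 0x2 is ACCOUNTDISABLE.
    $adObject = [ADSI]("LDAP://" + $recipient.DistinguishedName)
    $uac = [int]$adObject.Properties["userAccountControl"].Value
    return ($uac -band 0x2) -ne 0
}

# Each recipient type with whether it carries Active Directory logon credentials.
$sets = @(
    @{ Type = 'Mailbox';                  Items = Get-Mailbox -Filter $filter;                  HasLogon = $true  },
    @{ Type = 'MailUser';                 Items = Get-MailUser -Filter $filter;                 HasLogon = $true  },
    @{ Type = 'MailContact';              Items = Get-MailContact -Filter $filter;              HasLogon = $false },
    @{ Type = 'DistributionGroup';        Items = Get-DistributionGroup -Filter $filter;        HasLogon = $false },
    @{ Type = 'DynamicDistributionGroup'; Items = Get-DynamicDistributionGroup -Filter $filter; HasLogon = $false }
)

$findings = @()
foreach ($set in $sets) {
    foreach ($r in @($set.Items)) {
        if ($r -eq $null) { continue }
        $issues = @()
        if (-not $r.HiddenFromAddressListsEnabled) {
            $issues += 'visible in address lists'
        }
        if (-not (Test-ReceiveBlocked $r)) {
            $issues += 'can receive mail (MaxReceiveSize is not 0KB)'
        }
        if ($set.HasLogon -and -not (Test-AccountDisabled $r)) {
            $issues += 'Active Directory account is enabled'
        }
        if ($set.Type -eq 'DistributionGroup' -and ("$($r.GroupType)" -match 'SecurityEnabled')) {
            $issues += 'security group used as a template'
        }
        if ($issues.Count -gt 0) {
            $findings += $r | Select-Object @{ Name = 'Type';   Expression = { $set.Type } },
                                            Name,
                                            @{ Name = 'Issues'; Expression = { [string]::Join('; ', $issues) } }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "All recipients matching '$templatePattern' are secured."
} else {
    $findings | Format-Table Type, Name, Issues -AutoSize
}
```

An empty result means every template matching the pattern is hidden, cannot receive mail, and (where applicable) cannot log on. Any row in the output names the exact setting to restore with the Set-Mailbox, Set-MailUser, Set-MailContact, Set-DistributionGroup, or Set-DynamicDistributionGroup command shown in this topic, or, for an enabled account, with the Active Directory Users and Computers steps in the previous section.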
To reset these additional settings for recipients that are provisioned by using a secured recipient template, you can repeat the previous procedures and reverse the changes. However, the pipelining feature of the Exchange Management Shell allows you to provision the new recipient and reset these settings by using only one line of code. The following is an example that accomplishes this for a mail contact. The process is the same for a distribution group or a dynamic distribution group, but you must instead use the Get-DistributionGroup, New-DistributionGroup, and Set-DistributionGroup cmdlets for the distribution group recipient type and the Get-DynamicDistributionGroup, New-DynamicDistributionGroup, and Set-DynamicDistributionGroup cmdlets for the dynamic distribution group recipient type.
To use the Exchange Management Shell to create a new mail contact by using a recipient template and reset the additional configuration settings that were taken to secure the mail contact template
To create a mail contact for John Smith by using the mail contact template Template Mail Contact, run the following commands: (The result of the New-MailContact cmdlet is pipelined to the Set-MailContact cmdlet to reset the additional configuration settings that were taken to secure the mail contact template. A mail contact has no mailbox and no logon account, so New-MailContact takes the contact's external SMTP address with the ExternalEmailAddress parameter and has no UserPrincipalName or Database parameter; fabrikam.com below stands for the contact's external domain.)
$Temp = Get-MailContact "Template Mail Contact"
New-MailContact -Name "John Smith" -ExternalEmailAddress "jsmith@fabrikam.com" -OrganizationalUnit "contoso.com/Users" -TemplateInstance $Temp | Set-MailContact -HiddenFromAddressListsEnabled $false -MaxReceiveSize unlimited
For detailed syntax and parameter information, see the following reference topics:
For More Information
For detailed steps about how to create recipients by using recipient templates, see How to Use Templates to Create Recipients.
To learn more about recipients, see Understanding Recipients.
For more information about the pipelining feature in the Exchange Management Shell, see Pipelining.
For more information about the management interfaces in Exchange 2007, see Management Interfaces.